Re: [jose] DISCUSS: Nonce/Timestamp parameter

Dick Hardt <dick.hardt@gmail.com> Mon, 27 August 2012 19:11 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com>
Date: Mon, 27 Aug 2012 12:11:35 -0700
Message-Id: <8777DAED-4ADA-4691-B5CD-0E5CF308BC1C@gmail.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com>
To: Axel.Nennker@telekom.de
Cc: ietf@augustcellars.com, jose@ietf.org
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

I have an application for JWT that is not OAuth2. 

Having said that, nonces are difficult to implement at scale and I have heard of many sites that don't implement them fully.

On Aug 27, 2012, at 12:06 PM, Axel.Nennker@telekom.de wrote:

> I vote: NO
> 
> I think that nonce does make sense in signing or encryption because it only makes sense in a protocol exchange. 
> Maybe there is some justification for nonce in jwt but if jwt is used with oauth2 then we already have state.
> 
> Could one of the six who voted yes please explain why nonce is useful?
> 
> Axel
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Nennker, Axel
> Sent: Monday, August 27, 2012 10:37 AM
> To: ietf@augustcellars.com; jose@ietf.org
> Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
> 
> What is the base specification? https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?
> I think that nonce and timestamp are protocol specific fields and that JOSE is not about protocols. There are no round-trips in JOSE.
> The cryptographic algorithms used in JOSE are secure enough without nonce and timestamp.
> 
> Axel
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
> Sent: Friday, August 17, 2012 9:05 AM
> To: jose@ietf.org
> Subject: [jose] POLL: Nonce/Timestamp parameter
> 
> <CHAIR>
> 
> If you voted at the face-2-face please do not vote again.  If you want to provide comments please change the title from POLL to DISCUSS.
> 
> Do we need to define a nonce/timestamp parameter in the base specification?
> 
> 
> 
> Room vote:  6 yes, 0 no, 1 discuss
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
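The replay check this thread is debating, written out as an added example (not code from the thread or from any JOSE implementation): a JWT-style claims set carrying a timestamp (`iat`) and a nonce (`jti`; both claim names and the `iss` key are assumptions here) is accepted at most once inside a bounded window. The timestamp is what keeps the seen-nonce store finite, and that store must be shared by every verifier instance, which is the scaling difficulty the reply above points at.

```python
import time
from collections import OrderedDict


class ReplayGuard:
    """Accept each (issuer, nonce) pair at most once within a time window.

    Constructed example. A nonce alone forces the verifier to remember every
    nonce forever; pairing it with a timestamp lets old entries be evicted.
    The _seen store is per process here; in a deployment with several
    verifiers it would have to live in shared storage to be effective.
    """

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock
        # (iss, jti) -> time after which the entry can be forgotten.
        # Entries are inserted in clock order, so the oldest is always first.
        self._seen = OrderedDict()

    def _evict(self, now):
        while self._seen:
            _, expires = next(iter(self._seen.items()))
            if expires > now:
                break
            self._seen.popitem(last=False)

    def check(self, claims):
        """Return (accepted, reason) for a decoded claims dict."""
        now = self.clock()
        self._evict(now)
        try:
            iat = float(claims["iat"])
            key = (claims["iss"], claims["jti"])
        except (KeyError, TypeError, ValueError):
            return False, "missing iat/iss/jti"
        if iat > now + self.window:
            return False, "timestamp in the future"
        if now - iat > self.window:
            return False, "timestamp too old"
        if key in self._seen:
            return False, "replayed nonce"
        # Remember until the age check alone would reject any replay.
        self._seen[key] = now + self.window
        return True, "ok"
```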